View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0006253||CentOS-6||kernel||public||2013-02-14 01:54||2013-02-19 14:03|
|Target Version||Fixed in Version|
|Summary||0006253: software interrupt percentage goes to 100% when under load from esp|
|Description||We have a site-to-site VPN between a Cisco ASA and a pair of Linux routers which operate our offsite datacenter for stackoverflow.com. When we turn on SQL replication over the link, software interrupts peg a core at 100% and the ethernet stack becomes so sluggish that performance of the rest of the network is degraded.|
Unfortunately I don't have a tremendous amount of detail to provide but will happily do whatever steps required to help pinpoint this issue.
|Steps To Reproduce||1) setup site-to-site ipsec vpn with KAME-tools, using the kernel built-in esp processor (PF_KEY?)|
2) put said vpn tunnel under load
3) watch top in cpu detail mode where a core locks at 100%si
|Tags||No tags attached.|
As an update to this, another person on the internet happened upon this issue (http://www.couyon.net/1/post/2013/02/ipsec-on-rhel6centos6-dont-do-it.html) and found that upping the "/proc/sys/net/ipv4/xfrm4_gc_thresh" value abated the issue.
We tested elrepo-kernel-ml to see if the problem persists and it does, leading me to believe this is a longstanding kernel issue.